Detect changes that occur in Active Directory (not AR) and trigger an action?

Hey,

Is it at all possible for Active Roles to trigger off of a change made in the underlying Active Directory as opposed to within Active Roles itself?

Scenario:

  • A computer has BitLocker enabled and the keys are transferred to associated Active Directory computer object.
  • When Active Roles detects that the computer object now has keys or those keys have been updated, a script is triggered to do some thing.

I suspect this is not possible because when I check the Change Log in AR, there is no mention of keys being added to the computer object. I understand why this happens and didn't expect to see that in the AR logs, but I am just curious if there are any other methods for detecting something like this.

Regards,

Todd

  • This can be done.  You just need to enable the detection of changes from the Dirsync control.  There is a school of thought that this type of detection can be impactful on the Active Roles Service's performance but it's worth a try as if you are doing this only a limited basis, it's not likely to be a big issue.

    You have to enable "Handle changes from DirSync control" option on the policy script that will detect the change.

    Here's a discussion of the concept:

    www.oneidentity.com/.../setting-a-virtual-attribute-triggered-from-dirsync-change

  • I appreciate both you guys answering!

    Based on the KB and the linked forum post I think I understand how it would work.

    It appears to basically work the same way it would if you were dealing with ARS directly.

    A few additional questions:

    • Is there a log for the DirSync? I ask only because I am not entirely sure what attribute I should be checking for. I will do some research to get the exact name of the attribute that AD uses to store the BitLocker key.
    • Performance-wise, I would only be checking on computer objects and I will also implement the check to only process if the BitLocker is created. Do you think this could significantly hurt the performance of AR?
      • I will be curious to see how this is handled because the values aren't really updated, they are added to. 

    I will see if I can create just a short dummy script to just test the triggering, I am curious to see how it will.

    Thank you for your help guys!

    Regards,

    Todd

  • There is no log for the DirSync event, as such, but there is a log for the script module. You can examine the $Request and other Workflow objects by writing them to a file or by reviewing the Debugging log.

    Enable the logging by right-clicking on the script module in the Active Roles Console and going to Properties | Debugging.
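
    The following is an added example, not code from the thread or from One Identity, that puts the two answers above together: a policy script module (with "Handle changes from DirSync control" enabled on it) whose post-event handlers fire when BitLocker recovery information lands in AD, and which writes what the $Request carries to a file so you can see the real attribute names instead of guessing. It relies on one fact about AD: BitLocker escrows keys as child objects of the computer object, of class msFVE-RecoveryInformation, carrying msFVE-RecoveryGuid and msFVE-RecoveryPassword, so the event to watch is the creation of such a child, not a modification of the computer itself. The handler names (onPostCreate, onPostModify) and the $Request.Class, $Request.DN, $Request.Get() and $Request.IsAttributeModified() members are standard Active Roles script-module conventions; the log share path, the Get-ParentDN helper and the Invoke-OnNewBitLockerKey hook are assumptions made for this example.

```powershell
# Added example (not from the thread): Active Roles policy script that reacts to
# BitLocker recovery information appearing under a computer object in AD.
# Requires "Handle changes from DirSync control" on the script module, because the
# recovery objects are written by the BitLocker client directly to AD, not via AR.

$Script:LogPath = "\\ARServer\LogsShare\BitLockerWatch\BitLockerWatch_log.txt"  # assumed share

function Write-WatchLog ([string]$Text) {
    # 24-hour clock plus UTC offset so entries sort and correlate unambiguously.
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss zzz"
    Add-Content -Path $Script:LogPath -Value ("{0} {1}" -f $stamp, $Text)
}

function Get-ParentDN ([string]$DN) {
    # Strip the leading RDN to get the container (the computer object's DN).
    # Tolerates commas escaped with a backslash inside the RDN value.
    $m = [regex]::Match($DN, '^(?:[^,\\]|\\.)+,(.*)$')
    if ($m.Success) { return $m.Groups[1].Value } else { return $DN }
}

function Write-RequestAttributes ([object]$Request) {
    # Record which attributes the DirSync-originated request actually delivers.
    # The recovery password is deliberately NOT read or logged.
    foreach ($attr in @("objectClass", "cn", "msFVE-RecoveryGuid", "msFVE-VolumeGuid", "whenCreated")) {
        try {
            $value = $Request.Get($attr)
            Write-WatchLog ("  {0} = {1}" -f $attr, (@($value) -join ", "))
        } catch {
            Write-WatchLog ("  {0} = <not present in request>" -f $attr)
        }
    }
}

function Invoke-OnNewBitLockerKey ([string]$ComputerDN) {
    # Assumed hook standing in for the "do some thing" step from the question.
    Write-WatchLog "Action hook called for computer [$ComputerDN]"
}

function onPostCreate ($Request) {
    # Runs after an object is created; with DirSync handling on, also for objects
    # created outside Active Roles. Ignore everything except BitLocker key objects.
    if ($Request.Class -ne "msFVE-RecoveryInformation") { return }

    $computerDN = Get-ParentDN $Request.DN
    Write-WatchLog "New BitLocker recovery info for [$computerDN] (object: $($Request.DN))"
    Write-RequestAttributes $Request
    Invoke-OnNewBitLockerKey -ComputerDN $computerDN
}

function onPostModify ($Request) {
    # Recovery objects are normally added rather than edited; if one is modified,
    # record which sensitive attributes changed (values are never written out).
    if ($Request.Class -ne "msFVE-RecoveryInformation") { return }
    foreach ($attr in @("msFVE-RecoveryPassword", "msFVE-KeyPackage")) {
        if ($Request.IsAttributeModified($attr)) {
            Write-WatchLog "[$($Request.DN)] attribute $attr was modified (computer: $(Get-ParentDN $Request.DN))"
        }
    }
}
```

    Filtering on $Request.Class before doing any work keeps the performance cost of DirSync handling small, since every other class returns immediately; and writing only the GUID rather than the recovery password to the log avoids turning the script's log share into a second copy of the key escrow.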

  • I implement my own log function in all of my scripts as I find the built-in debug logging very "unfriendly".  Here's an example:

    function Logit ($Text) # Simple function for creating timestamped log entries
    {
        $LogPath = "\\ARServer\LogsShare\MyCurrentScriptName\MyCurrentScriptName_log.txt"
        # HH (24-hour clock) rather than hh, which drops AM/PM and makes entries ambiguous
        $Timestamp = Get-Date -Format "MM/dd/yyyy HH:mm:ss"
        $Text = $Timestamp + " " + $Text
        Add-Content -Path $LogPath -Value $Text
    } # End of Logit function declaration

    # Here's some sample code

    Function MyPolicyScriptFunction ($Request)
    {
        $RequestUser = $Request.DN   # DN of the object the request is acting on
        Logit "In-process user is [$RequestUser]"
    }
